Abstract

We prove new lower bounds for locally decodable codes and private information retrieval. We
show that a 2-query LDC encoding n-bit strings over an $\ell$-bit alphabet, where the decoder only
uses b bits of each queried position, needs code length
$m = \exp\left(\Omega\left(\frac{n}{2^b \sum_{i=0}^{b} \binom{\ell}{i}}\right)\right)$. Similarly,
a 2-server PIR scheme with an n-bit database and t-bit queries, where the user only needs b
bits from each of the two $\ell$-bit answers, unknown to the servers, satisfies
$t = \Omega\left(\frac{n}{2^b \sum_{i=0}^{b} \binom{\ell}{i}}\right)$.
This implies that several known PIR schemes are close to optimal. Our results generalize those
of Goldreich et al. [8], who proved roughly the same bounds for linear LDCs and PIRs. Like
earlier work by Kerenidis and de Wolf [12], our classical bounds are proved using quantum
computational techniques. In particular, we give a tight analysis of how well a 2-input function can
be computed from a quantum superposition of both inputs.



1 Introduction 

1.1 Locally decodable codes 

Error correcting codes allow reliable transmission and storage of information in noisy environments. 
Such codes often have the disadvantage that one has to read almost the entire codeword, even 
if one is only interested in a small part of the encoded information. A locally decodable code 
$C : \{0,1\}^n \to \Sigma^m$ over alphabet $\Sigma$ is an error-correcting code that allows efficient decoding of
individual bits of the encoded information: given any string y that is sufficiently close to the real
codeword $C(x)$, we can probabilistically recover any bit of the original input x, while only looking
at k positions of y. The code length m measures the cost of the encoding, while k measures the 
efficiency of decoding individual bits. Such codes have had a number of applications in recent 
computer science research, including PCPs and worst-case to average-case reductions. One can 
also think of applications encoding a large chunk of data in order to protect it from noise, where 
we are only interested in extracting small pieces at a time. Imagine for example an encoding of all 
books in a library, where we would like to retrieve only the first paragraph of this paper.

The main complexity question of interest is the tradeoff between m and k. With k = polylog(n)
queries, the code length can be made polynomially small, even over the binary alphabet
$\Sigma = \{0,1\}$ IS]. However, for fixed k, the best upper bounds are superpolynomial. Except for the k = 2
case with small alphabet $\Sigma$, no good lower bounds are known. Katz and Trevisan [10] showed
superlinear but at most quadratic lower bounds for constant k. Goldreich et al. [8] showed an
exponential lower bound for linear codes with k = 2 queries and constant alphabet, and Kerenidis
and de Wolf extended this to all codes, using techniques from quantum computing. For
$\Sigma = \{0,1\}^\ell$ they prove $m = 2^{\Omega(n/2^{5\ell})}$. They also slightly improved the polynomial bounds of [10]
for k > 2.

Clearly the above lower bound becomes trivial if each position of the codeword has $\ell > \log(n)/5$
bits. In this paper we analyze the case where $\ell$ can be much larger, but the decoder uses only b bits
out of the $\ell$ bits of a query answer. The b positions that he uses may depend on the index i he is
interested in and on his randomness. This setting is interesting because many existing constructions
are of this form, for quite small b. Goldreich et al. [8] also analyzed this situation, and showed the
following lower bound for linear codes: $m = 2^{\Omega(n/\sum_{i=0}^{b}\binom{\ell}{i})}$. Here we prove a slightly weaker lower
bound for all codes: $m = 2^{\Omega(n/(2^b\sum_{i=0}^{b}\binom{\ell}{i}))}$. In particular, if $b = \ell$ (so the decoder can use all bits
from the query answers) we improve the bound from [12] to $m = 2^{\Omega(n/2^{2\ell})}$. We lose a factor of $2^b$
compared to Goldreich et al. This factor can be dispensed with if the decoder outputs the parity
of a subset of the bits he receives. All known LDCs are of this type.

Our proofs are completely different from the combinatorial approach of Goldreich et al.
Following [C, we proceed in two steps: (1) we reduce the two classical queries to one quantum query
and (2) show a lower bound for the induced one-quantum-query-decodable code by deriving a
random access code from it. The main novelty is a tight analysis of the following problem.
Suppose we want to compute a Boolean function $f(a_0,a_1)$ on $2b$ bits, given a quantum superposition
$\frac{1}{\sqrt{2}}(|0,a_0\rangle + |1,a_1\rangle)$ of both halves of the input. We show that any Boolean f can be computed with
advantage $1/2^{b+1}$ from this superposition, and that this is best-achievable for the parity function.
This may be of independent interest. In fact, Kerenidis [11] recently used it to exhibit an
exponential quantum-classical separation in multiparty communication complexity, and in an interesting
new approach to improve depth lower bounds for classical circuits.

1.2 Private information retrieval 

There is a very close connection between LDCs and the setting of private information retrieval. 
In PIR, the user wants to retrieve some item from a database without letting the database learn 
anything about what item he asked for. In the general model, the user retrieves the ith bit from
an n-bit database that is replicated over k > 1 non-communicating servers. He
communicates with each server without revealing any information about i to individual servers, and
at the end of the day learns $x_i$. This is a natural cryptographic problem that has applications in
systems where privacy of the user is important, for example databases providing medical
information. Much research has gone into optimizing the communication complexity of one-round PIR
schemes. Here the user sends a t-bit message ("query") to each server, who responds with an $\ell$-bit
message ("answer"), from which the user infers $x_i$. A number of non-trivial upper bounds have
been found IZIESEI; but, as in the LDC case, the optimality of such schemes is wide open. In
fact, the best known constructions of LDCs with constant k come from PIR schemes with k servers.
Roughly speaking, concatenating the servers' answers to all possible queries gives a codeword $C(x)$
of length $m = k2^t$ over the alphabet $\Sigma = \{0,1\}^\ell$ that is decodable with k queries. The privacy of
the PIR scheme translates into the error-correcting property of the LDC: since many different sets
of k queries have to work for recovering $x_i$, we can afford some corrupted positions. Conversely,
we can turn a k-query LDC into a k-server PIR scheme by asking one query to each server (so
t = log m). The privacy of the resulting PIR scheme follows from the fact that an LDC can be
made to have a "smoothness" property, meaning that most positions are about equally likely to be
queried, independent of i.
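
The construction described above, worked through as an added example (not code from the paper): it takes the 2-server square scheme described in Section 2 as the PIR scheme, concatenates both servers' answers to every possible query into a codeword, and decodes one bit with two probes. The function names, the 9-bit database and the corrupted positions are constructed for illustration.

```python
from itertools import product

def server_answer(X, q):
    """Square-scheme server: inner product mod 2 of q with every column of X."""
    s = len(X)
    return tuple(sum(q[r] & X[r][c] for r in range(s)) % 2 for c in range(s))

def encode(x, s):
    """C(x): the answers of both servers to all 2^s possible s-bit queries.

    Positions are (server, query) pairs, so m = k * 2^t with k = 2 and t = s,
    and every codeword entry is an s-bit string (alphabet {0,1}^s).
    """
    assert len(x) == s * s
    X = [x[r * s:(r + 1) * s] for r in range(s)]
    return {(srv, q): server_answer(X, q)
            for srv in (0, 1) for q in product((0, 1), repeat=s)}

def probes(A, i1):
    """The two codeword positions the decoder reads for random string A."""
    flipped = tuple(bit ^ int(r == i1) for r, bit in enumerate(A))
    return (0, tuple(A)), (1, flipped)

def decode(y, s, i, A):
    """Recover x_i from two positions of y, using one bit (b = 1) of each."""
    i1, i2 = divmod(i, s)
    p0, p1 = probes(A, i1)
    return y[p0][i2] ^ y[p1][i2]

def success_probability(y, x, s, i):
    """Exact Pr[decoder outputs x_i] over the uniform choice of A."""
    strings = list(product((0, 1), repeat=s))
    return sum(decode(y, s, i, A) == x[i] for A in strings) / len(strings)

def max_probe_probability(s, i):
    """Largest probability with which any single position is read (smoothness)."""
    strings = list(product((0, 1), repeat=s))
    counts = {}
    for A in strings:
        for pos in probes(A, i // s):
            counts[pos] = counts.get(pos, 0) + 1
    return max(counts.values()) / len(strings)

def corrupt(y, positions):
    """Return a copy of y whose entries at `positions` are complemented."""
    z = dict(y)
    for pos in positions:
        z[pos] = tuple(1 - bit for bit in z[pos])
    return z

# Constructed sample: a 9-bit database, s = 3, so m = 2 * 2^3 = 16 positions.
S = 3
X_BITS = [1, 0, 1, 1, 1, 0, 0, 1, 0]
CODEWORD = encode(X_BITS, S)
# Two corrupted positions (Hamming distance 2 from C(x)), also constructed.
DAMAGED = corrupt(CODEWORD, [(0, (1, 0, 1)), (1, (0, 1, 1))])

if __name__ == "__main__":
    for i in range(len(X_BITS)):
        print(i, success_probability(CODEWORD, X_BITS, S, i),
              success_probability(DAMAGED, X_BITS, S, i))
```

Each position is read with probability 2/m whatever the index, which is why a corrupted entry can spoil only a bounded fraction of the decoder's random choices.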

Here we restrict attention to 2 servers, which is probably the most interesting case. The paper
by Chor et al. that introduced PIR, gave a PIR scheme where both the queries to the servers
and the answers from the servers have length bits. Later constructions gave alternative
ways of achieving the same complexity, but have not given asymptotic improvements for the
2-server case (in contrast to the case of 3 or more servers jE] and the case of 2 quantum servers [12]).
Though general lower bounds for 2-server PIRs still elude us, reasonably good lower bounds can be
proved for schemes that only use a small number b of bits from each possibly much longer answer
string. This b is sometimes called the probe complexity of the scheme. As stated in 0, small probe
complexity is a desirable property of a PIR scheme for a number of reasons: the user needs less
space; the schemes can be more easily applied recursively as in and such PIR schemes induce
locally decodable codes where the codelength m is relatively small while the codeword entries are
allowed to have many bits each, but the decoder needs only few bits from each codeword entry it
reads.

As was implicitly stated by Katz and Trevisan [10] and formalized by Goldreich et al. [8], it
is possible to translate 2-server PIRs to 2-query LDCs, where the property of only using b bits
from each $\ell$-bit string carries over. Combining this lemma with our LDC lower bounds gives the
following bound for 2-server PIRs with t-bit queries, $\ell$-bit answers, and probe complexity b:
$t = \Omega(n/(2^b\sum_{i=0}^{b}\binom{\ell}{i}))$. In particular, for fixed b the overall communication is $C = 2(t+\ell) = \Omega(n^{1/(b+1)})$.
This is tight for b = 1 (we describe an $O(\sqrt{n})$ scheme in Section 2) and close to optimal for b = 3,
since a small variation of the Chor et al. scheme achieves $C = O(n^{1/3})$ using only 3 bits from each
answer^1, while our bound is $\Omega(n^{1/4})$. Similar results were established for linear PIR schemes by
Goldreich et al., but our results apply to all PIR schemes. They imply that in improved 2-server
PIR schemes, the user needs to use more bits from the servers' answers. For general schemes,
where $b = \ell$, we obtain $t = \Omega(n/2^{2\ell})$. This improves the bound from [12]. It implies a lower
bound of $5\log n$ on the total communication $C = 2(t+\ell)$. This is incredibly weak, but without
any assumptions on how the user handles the answers, and still improves what was known [13, 12].

2 Preliminaries 

We use $a|_S$ to denote the string a restricted to a set of bits $S \subseteq [n] = \{1,\ldots,n\}$, e.g., $11001|_{\{1,4,5\}} = 101$.
We identify a set $S \subseteq [n]$ with n-bit string $S = S_1 \ldots S_n$, where $i \in S$ if and only if the ith bit
$S_i = 1$. We use $e_i$ for the n-bit string corresponding to the singleton set $S = \{i\}$. If $y \in \Sigma^m$ where
$\Sigma = \{0,1\}^\ell$, then $y_j \in \Sigma$ denotes its jth entry, and $y_{j,i}$ with $i \in [\ell]$ is the ith bit of $y_j$. We assume
general familiarity with the quantum model [15]. Our proofs depend heavily on the notion of a
quantum query. We consider queries with $\ell$-bit answers, where $\ell > 1$. For $\Sigma = \{0,1\}^\ell$, a quantum
query to a string $y \in \Sigma^m$ is the unitary map $|j\rangle|z\rangle \mapsto |j\rangle|z \oplus y_j\rangle$, where $j \in [m]$, $z \in \{0,1\}^\ell$ is
called the target register, and $z \oplus y_j$ is the string resulting from the xor of the individual bits of z
and $y_j$, i.e. $z \oplus y_j = (z_1 \oplus y_{j,1}) \ldots (z_\ell \oplus y_{j,\ell})$. It is convenient to get the query result in the phase
of the quantum state. To this end, define $|z_T\rangle = \bigotimes_{i=1}^{\ell}(|0\rangle + (-1)^{T_i}|1\rangle)$ where $T_i$ is the ith bit
of the $\ell$-bit string T. Since $|0 \oplus y_{j,i}\rangle + (-1)^{T_i}|1 \oplus y_{j,i}\rangle = (-1)^{T_i \cdot y_{j,i}}(|0\rangle + (-1)^{T_i}|1\rangle)$, a query maps

$$|j\rangle|z_T\rangle \mapsto |j\rangle(-1)^{T \cdot y_j}|z_T\rangle.$$

^1 polynomial-based $O(n^{1/3})$-scheme from ^ does not have this "small b"-property.

A locally decodable code is an error-correcting code that allows efficient decoding of individual 
bits. 

Definition 1 $C : \{0,1\}^n \to \Sigma^m$ is a $(k,\delta,\varepsilon)$-locally decodable code (LDC), if there exists a
classical randomized decoding algorithm A with input $i \in [n]$ and oracle access to a string $y \in \Sigma^m$ such
that

1. A makes k distinct queries $j_1,\ldots,j_k$ to y, non-adaptively, gets query answers $a_1 = y_{j_1},\ldots,a_k = y_{j_k}$,
and outputs a bit $f(a_1,\ldots,a_k)$, where f depends on i and A's randomness.

2. For every $x \in \{0,1\}^n$, $i \in [n]$ and $y \in \Sigma^m$ with Hamming distance $d(y,C(x)) < \delta m$ we have
$\Pr[f(a_1,\ldots,a_k) = x_i] \ge 1/2 + \varepsilon$.

Here probabilities are taken over A's internal randomness. For $\Sigma = \{0,1\}^\ell$, we say the LDC uses b
bits, if A only uses b predetermined bits of each query answer: it outputs $f(a_1|_{S_1},\ldots,a_k|_{S_k})$ where
the sets $S_1,\ldots,S_k$ are of size b each and are determined by i and A's randomness.

In our arguments we will use smooth codes. These are codes where the decoding algorithm
spreads its queries "smoothly" across the codeword, meaning it queries no code location too
frequently.

Definition 2 $C : \{0,1\}^n \to \Sigma^m$ is a $(k,c,\varepsilon)$-smooth code (SC) if there is a randomized algorithm
A with input $i \in [n]$ and oracle access to $C(x)$ s.t.

1. A makes k distinct queries $j_1,\ldots,j_k$ to $C(x)$, non-adaptively, gets query answers
$a_1 = C(x)_{j_1},\ldots,a_k = C(x)_{j_k}$ and outputs a bit $f(a_1,\ldots,a_k)$, where f depends on i and A's
randomness.

2. For every $x \in \{0,1\}^n$ and $i \in [n]$ we have $\Pr[f(a_1,\ldots,a_k) = x_i] \ge 1/2 + \varepsilon$.

3. For every $x \in \{0,1\}^n$, $i \in [n]$ and $j \in [m]$, $\Pr[A \text{ queries } j] \le c/m$.

The smooth code uses b bits, if A only uses b predetermined bits of each answer.

Note that the decoder of smooth codes deals only with valid codewords $C(x)$. The decoding
algorithm of an LDC on the other hand can deal with corrupted codewords y that are still sufficiently
close to the original. Katz and Trevisan [10, Theorem 1] showed that LDCs and smooth codes are
closely related:

Theorem 1 (Katz & Trevisan) If $C : \{0,1\}^n \to \Sigma^m$ is a $(k,\delta,\varepsilon)$-LDC, then C is also a
$(k,k/\delta,\varepsilon)$-smooth code (the property of using b bits carries over).

The following definition of a one-query quantum smooth code is rather ad hoc and not the most
general possible, but sufficient for our purposes.

Definition 3 $C : \{0,1\}^n \to (\{0,1\}^\ell)^m$ is a $(1,c,\varepsilon)$-quantum smooth code (QSC), if there is a quantum
algorithm A with input $i \in [n]$ and oracle access to $C(x)$ s.t.

1. A probabilistically picks a string r, makes a query of the form

and returns the outcome of some measurement on the resulting state.

2. For every $x \in \{0,1\}^n$ and $i \in [n]$ we have $\Pr[A \text{ outputs } x_i] \ge 1/2 + \varepsilon$.

3. For every $x, i, j$, $\Pr[A \text{ queries } j \text{ with non-zero amplitude}] \le c/m$.

The QSC uses b bits, if the sets $S_{1r}, S_{2r}$ have size b.

PIR allows a user to obtain the ith bit from an n-bit database x, replicated over k > 1 servers, 
without revealing anything about i to individual servers. 

Definition 4 A one-round, $(1-\eta)$-secure, k-server private information retrieval (PIR) scheme for
a database $x \in \{0,1\}^n$ with recovery probability $1/2 + \varepsilon$, query size t, and answer size $\ell$, consists of
a randomized algorithm (user) and k deterministic algorithms $S_1,\ldots,S_k$ (servers), such that

1. On input $i \in [n]$, the user produces k t-bit queries $q_1,\ldots,q_k$ and sends these to the respective
servers. The jth server returns $\ell$-bit string $a_j = S_j(x,q_j)$. The user outputs a bit $f(a_1,\ldots,a_k)$
(f depends on i and his randomness).

2. For every $x \in \{0,1\}^n$ and $i \in [n]$ we have $\Pr[f(a_1,\ldots,a_k) = x_i] \ge 1/2 + \varepsilon$.

3. For all $x \in \{0,1\}^n$, $j \in [k]$, and any two indices $i_1, i_2 \in [n]$, the two distributions on $q_j$ (over
the user's randomness) induced by $i_1$ and $i_2$ are $\eta$-close in total variation distance.

The scheme uses b bits if the user only uses b predetermined bits from each $a_j$. The scheme is called
linear, if for every j and $q_j$ the jth server's answer $S_j(x,q_j)$ is a linear combination (over GF(2))
of the bits of x.

If $\eta = 0$, then the server gets no information at all about i. All known non-trivial PIR schemes
have $\eta = 0$, perfect recovery ($\varepsilon = 1/2$), and one round of communication. We give two well-known
2-server examples from [7].

Square scheme. Arrange $x = x_1 \ldots x_n$ in a $\sqrt{n} \times \sqrt{n}$ square,

$$x = \begin{pmatrix} x_1 & x_2 & \cdots & x_{\sqrt{n}} \\ \vdots & x_i & & \vdots \\ \cdots & \cdots & \cdots & x_n \end{pmatrix}$$

then index i is given by two coordinates $(i_1,i_2)$. The user picks a random string $A \in \{0,1\}^{\sqrt{n}}$,
and sends $\sqrt{n}$-bit queries $q_1 = A$ and $q_2 = A \oplus e_{i_1}$ to the servers. The first returns $\sqrt{n}$-bit answer
$a_1 = q_1 \cdot C_1,\ldots,q_1 \cdot C_{\sqrt{n}}$, where $q_1 \cdot C_c$ denotes the inner product mod 2 of $q_1$ with the cth column
of x. The second server sends $a_2$ analogously. The user selects the bit $q_1 \cdot C_{i_2}$ from $a_1$ and $q_2 \cdot C_{i_2}$
from $a_2$ and computes $(A \cdot C_{i_2}) \oplus ((A \oplus e_{i_1}) \cdot C_{i_2}) = e_{i_1} \cdot C_{i_2} = x_i$. Here $t = \ell = \sqrt{n}$ and b = 1.

Cube scheme. A more efficient scheme arranges x in a cube, so $i = (i_1,i_2,i_3)$. The user picks
3 random strings $T_1, T_2, T_3$ of $n^{1/3}$ bits each, and sends queries $q_1 = T_1,T_2,T_3$ and
$q_2 = (T_1 \oplus e_{i_1}),(T_2 \oplus e_{i_2}),(T_3 \oplus e_{i_3})$. The first server computes the bit
$a = b_{T_1T_2T_3} = \bigoplus_{j_1 \in T_1, j_2 \in T_2, j_3 \in T_3} x_{j_1,j_2,j_3}$.
Its answer $a_1$ is the $n^{1/3}$ bits $b_{T_1'T_2T_3} \oplus a$ for $T_1'$ differing from $T_1$ in exactly one place, and similarly
all $b_{T_1T_2'T_3} \oplus a$ and $b_{T_1T_2T_3'} \oplus a$. The second server does the same with its query $q_2$. The user now
selects those 3 bits of each answer that correspond to $T_1' = T_1 \oplus e_{i_1}$, $T_2' = T_2 \oplus e_{i_2}$, $T_3' = T_3 \oplus e_{i_3}$
respectively, and xors those 6 bits. Since every other $x_{j_1,j_2,j_3}$ occurs exactly twice in that sum,
what is left is $x_{i_1,i_2,i_3} = x_i$. Here $t, \ell = O(n^{1/3})$ and b = 3.
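
Both schemes above as runnable code, an added example that is not from the paper: the two servers are simulated as plain functions over the same database, and the function names and sample databases are constructed for illustration. `query_distribution` enumerates every random string A to show that each server's query is distributed identically for every index, which is the $\eta = 0$ case of Definition 4.

```python
import secrets
from collections import Counter
from itertools import product

def flip(bits, pos):
    """bits XOR e_pos: the same string with one position toggled."""
    return tuple(b ^ int(k == pos) for k, b in enumerate(bits))

def random_bits(s):
    return tuple(secrets.randbelow(2) for _ in range(s))

# ---- Square scheme: x is an s x s matrix X, index i = (i1, i2) -------------

def square_queries(A, i1):
    """q1 = A and q2 = A xor e_{i1}; each server sees only its own query."""
    return tuple(A), flip(A, i1)

def square_server(X, q):
    """Answer: inner product mod 2 of q with each of the s columns of X."""
    s = len(X)
    return [sum(q[r] & X[r][c] for r in range(s)) % 2 for c in range(s)]

def square_retrieve(X, i1, i2, A=None):
    A = random_bits(len(X)) if A is None else A
    q1, q2 = square_queries(A, i1)
    a1, a2 = square_server(X, q1), square_server(X, q2)
    return a1[i2] ^ a2[i2]          # one bit of each answer: b = 1

def query_distribution(s, i1, server):
    """Exact distribution of the query sent to one server, over all A."""
    return Counter(square_queries(A, i1)[server]
                   for A in product((0, 1), repeat=s))

# ---- Cube scheme: x is an s x s x s cube, index i = (i1, i2, i3) -----------

def box_xor(X, T):
    """b_{T1 T2 T3}: xor of X[j1][j2][j3] over j1 in T1, j2 in T2, j3 in T3."""
    s = len(X)
    acc = 0
    for j1, j2, j3 in product(range(s), repeat=3):
        acc ^= T[0][j1] & T[1][j2] & T[2][j3] & X[j1][j2][j3]
    return acc

def cube_server(X, q):
    """3s answer bits: b for every one-place change of T1, T2 or T3, xor a."""
    a = box_xor(X, q)
    answer = []
    for axis in range(3):
        row = []
        for pos in range(len(X)):
            changed = list(q)
            changed[axis] = flip(q[axis], pos)
            row.append(box_xor(X, changed) ^ a)
        answer.append(row)
    return answer

def cube_retrieve(X, i, T=None):
    s = len(X)
    T = [random_bits(s) for _ in range(3)] if T is None else T
    q1 = [tuple(t) for t in T]
    q2 = [flip(T[k], i[k]) for k in range(3)]
    a1, a2 = cube_server(X, q1), cube_server(X, q2)
    bit = 0
    for k in range(3):              # three bits of each answer: b = 3
        bit ^= a1[k][i[k]] ^ a2[k][i[k]]
    return bit

# Constructed sample databases (n = 9 and n = 27), not taken from the paper.
SQUARE_DB = [[1, 0, 1], [0, 0, 1], [1, 1, 0]]
CUBE_DB = [[[(j1 * j2 + j3 + int(j1 == 2)) % 2 for j3 in range(3)]
            for j2 in range(3)] for j1 in range(3)]

if __name__ == "__main__":
    print(square_retrieve(SQUARE_DB, 1, 2), cube_retrieve(CUBE_DB, (2, 0, 1)))
```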



3 Computing $f(a_0,a_1)$ from Superposed Input
3.1 Upper bound

To prove the lower bound on LDCs and PIRs, we first construct the following quantum tool.
Consider a state $|\Psi_{a_0a_1}\rangle = \frac{1}{\sqrt{2}}(|0,a_0\rangle + |1,a_1\rangle)$ with $a_0,a_1$ both b-bit strings. We show that we can
compute any Boolean function $f(a_0,a_1)$ with bias $1/2^{b+1}$ given one copy of this state. After that
we show that this bias is optimal if f is the 2b-bit parity function. The key to the algorithm is the
following:

Lemma 1 For every $f : \{0,1\}^{2b} \to \{0,1\}$ there exist non-normalized states $|\varphi_a\rangle$ such that
$U : |a\rangle|0\rangle \mapsto \frac{1}{2^b}\sum_{w \in \{0,1\}^b}(-1)^{f(w,a)}|w\rangle|0\rangle + |\varphi_a\rangle|1\rangle$ is unitary.

Proof. Let $|\psi_a\rangle = \frac{1}{2^b}\sum_{w \in \{0,1\}^b}(-1)^{f(w,a)}|w\rangle|0\rangle + |\varphi_a\rangle|1\rangle$. It is easy to see that U can be
extended to be unitary if and only if $\langle\psi_a|\psi_{a'}\rangle = \delta_{aa'}$ for all $a, a'$. We will choose $|\varphi_a\rangle$ to achieve
this. First, since $\langle w|w'\rangle = \delta_{ww'}$ and $\langle w,0|\varphi_a,1\rangle = 0$:

$$\langle\psi_a|\psi_{a'}\rangle = \frac{1}{2^{2b}}\sum_{w \in \{0,1\}^b}(-1)^{f(w,a)+f(w,a')} + \langle\varphi_a|\varphi_{a'}\rangle.$$

Let C be the $2^b \times 2^b$ matrix with entries $C_{aa'} = \frac{1}{2^{2b}}\sum_{w \in \{0,1\}^b}(-1)^{f(w,a)+f(w,a')}$ where the indices
a and a' are b-bit strings. From the definition of $C_{aa'}$ we have $|C_{aa'}| \le 1/2^b$. By [9, Corollary 6.1.5],
the largest eigenvalue is

$$\lambda_{\max}(C) \le \min\left\{\max_{a}\sum_{a' \in \{0,1\}^b}|C_{aa'}|,\ \max_{a'}\sum_{a \in \{0,1\}^b}|C_{aa'}|\right\} \le \sum_{a \in \{0,1\}^b}\frac{1}{2^b} = 1.$$

However, $\lambda_{\max}(C) \le 1$ implies that $I - C$ is positive semidefinite and hence, by [9, Corollary 7.2.11],
$I - C = A^\dagger A$ for some matrix A. Now define $|\varphi_a\rangle$ to be the ath column of A. Since the matrix
$C + A^\dagger A = I$ is composed of all inner products $\langle\psi_a|\psi_{a'}\rangle$, we have $\langle\psi_a|\psi_{a'}\rangle = \delta_{aa'}$ and it follows that
U is unitary. □

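Using these observations, we can now prove the following theorem.

Theorem 2 Suppose $f : \{0,1\}^{2b} \to \{0,1\}$ is a Boolean function. There exists a quantum algorithm
to compute $f(a_0,a_1)$ with success probability exactly $1/2 + 1/2^{b+1}$ using one copy of
$|\Psi_{a_0a_1}\rangle = \frac{1}{\sqrt{2}}(|0,a_0\rangle + |1,a_1\rangle)$, with $a_0,a_1 \in \{0,1\}^b$.

Proof. First we extend the state $|\Psi_{a_0a_1}\rangle$ by a $|0\rangle$-qubit. Let U be as in Lemma 1. Applying the
unitary transform $|0\rangle\langle 0| \otimes I^{\otimes (b+1)} + |1\rangle\langle 1| \otimes U$ to $|\Psi_{a_0a_1}\rangle|0\rangle$ gives

$$\frac{1}{\sqrt{2}}\left(|0\rangle|a_0\rangle|0\rangle + |1\rangle\left(\frac{1}{2^b}\sum_{w \in \{0,1\}^b}(-1)^{f(w,a_1)}|w\rangle|0\rangle + |\varphi_{a_1}\rangle|1\rangle\right)\right).$$

Define $|\Gamma\rangle = |a_0\rangle|0\rangle$ and $|\Lambda\rangle = \frac{1}{2^b}\sum_{w}(-1)^{f(w,a_1)}|w\rangle|0\rangle + |\varphi_{a_1}\rangle|1\rangle$. Then $\langle\Gamma|\Lambda\rangle = \frac{1}{2^b}(-1)^{f(a_0,a_1)}$ and
the above state is $\frac{1}{\sqrt{2}}(|0\rangle|\Gamma\rangle + |1\rangle|\Lambda\rangle)$. We apply a Hadamard transform to the first qubit to get
$\frac{1}{2}\left(|0\rangle(|\Gamma\rangle + |\Lambda\rangle) + |1\rangle(|\Gamma\rangle - |\Lambda\rangle)\right)$. The probability that a measurement of the first qubit yields a
0 is $\frac{1}{4}\langle\Gamma + \Lambda|\Gamma + \Lambda\rangle = \frac{1}{2} + \frac{1}{2}\langle\Gamma|\Lambda\rangle = \frac{1}{2} + \frac{(-1)^{f(a_0,a_1)}}{2^{b+1}}$. Thus by measuring the first qubit we obtain
$f(a_0,a_1)$ with bias $1/2^{b+1}$. □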



3.2 Lower bound 

To prove that this algorithm is optimal for the parity function, we need to consider how well we
can distinguish two density matrices $\rho_0$ and $\rho_1$, i.e., given an unknown state determine whether it
is $\rho_0$ or $\rho_1$. Let $\|A\|_{tr}$ denote the trace norm of matrix A, which equals the sum of its singular
values.

Lemma 2 Two density matrices $\rho_0$ and $\rho_1$ cannot be distinguished with probability better than
$1/2 + \|\rho_0 - \rho_1\|_{tr}/4$.

Proof. The most general way of distinguishing $\rho_0$ and $\rho_1$ is a POVM [15] with two operators $E_0$
and $E_1$, such that $p_0 = \mathrm{tr}(\rho_0E_0) \ge 1/2 + \varepsilon$ and $q_0 = \mathrm{tr}(\rho_1E_0) \le 1/2 - \varepsilon$. Then $|p_0 - q_0| \ge 2\varepsilon$
and likewise, $|p_1 - q_1| \ge 2\varepsilon$, for similarly defined $p_1$ and $q_1$. By [15, Theorem 9.1],
$\|\rho_0 - \rho_1\|_{tr} = \max_{\{E_0,E_1\}}(|p_0 - q_0| + |p_1 - q_1|)$ and thus $\|\rho_0 - \rho_1\|_{tr} \ge 4\varepsilon$. Hence $\varepsilon \le \|\rho_0 - \rho_1\|_{tr}/4$. □

Theorem 3 Suppose that f is the parity of $a_0a_1$. Then any quantum algorithm for computing f
from one copy of $|\Psi_{a_0a_1}\rangle$ has success probability $\le 1/2 + 1/2^{b+1}$.

Proof. Define $\rho_0$ and $\rho_1$ by $\rho_c = \frac{1}{2^{2b-1}}\sum_{a_0a_1 \in f^{-1}(c)}|\Psi_{a_0a_1}\rangle\langle\Psi_{a_0a_1}|$, with $c \in \{0,1\}$. A quantum
algorithm that computes parity of $a_0a_1$ with probability $1/2 + \varepsilon$ can be used to distinguish $\rho_0$ and
$\rho_1$. Hence by Lemma 2: $\varepsilon \le \|\rho_0 - \rho_1\|_{tr}/4$. Let $A = \rho_0 - \rho_1$. It is easy to see that the $|0,a_0\rangle\langle 0,a_0|$-entries
are the same in $\rho_0$ and in $\rho_1$, so these entries are 0 in A. Similarly, the $|1,a_1\rangle\langle 1,a_1|$-entries
in A are 0. In the off-diagonal blocks, the $|0,a_0\rangle\langle 1,a_1|$-entry of A is $(-1)^{|a_0|+|a_1|}/2^{2b}$. For
$|\phi\rangle = \frac{1}{\sqrt{2^b}}\sum_{w \in \{0,1\}^b}(-1)^{|w|}|w\rangle$ we have $|\phi\rangle\langle\phi| = \frac{1}{2^b}\sum_{a_0,a_1}(-1)^{|a_0|+|a_1|}|a_0\rangle\langle a_1|$ and
$A = \frac{1}{2^b}(|0,\phi\rangle\langle 1,\phi| + |1,\phi\rangle\langle 0,\phi|)$. Let U and V be unitary transforms such that $U|0,\phi\rangle = |0,0^b\rangle$, $U|1,\phi\rangle = |1,0^b\rangle$
and $V|0,\phi\rangle = |1,0^b\rangle$, $V|1,\phi\rangle = |0,0^b\rangle$, then
$UAV^\dagger = \frac{1}{2^b}(U|0,\phi\rangle\langle 1,\phi|V^\dagger + U|1,\phi\rangle\langle 0,\phi|V^\dagger) = \frac{1}{2^b}(|0,0^b\rangle\langle 0,0^b| + |1,0^b\rangle\langle 1,0^b|)$.
The two nonzero singular values of $UAV^\dagger$ are both $1/2^b$, hence
$\|\rho_0 - \rho_1\|_{tr} = \|A\|_{tr} = \|UAV^\dagger\|_{tr} = 2/2^b$. Therefore $\varepsilon \le \|\rho_0 - \rho_1\|_{tr}/4 = 1/2^{b+1}$. □


4 Lower Bounds for LDCs that Use Few Bits

We now make use of the technique developed above to prove new lower bounds for 2-query LDCs
over non-binary alphabets. First we construct a 1-query quantum smooth code (QSC) from a
2-query smooth code (SC), and then prove lower bounds for QSCs. In the sequel, we will index the
two queries by 0 and 1 instead of 1 and 2, to conform to the two basis states $|0\rangle$ and $|1\rangle$ of a qubit.

4.1 Constructing a 1-query QSC from a 2-query SC 

Theorem 4 If $C : \{0,1\}^n \to (\{0,1\}^\ell)^m$ is a $(2,c,\varepsilon)$-smooth code that uses b bits, then C is a
$(1,c,\varepsilon/2^b)$-quantum smooth code that uses b bits.

Proof. Fix index $i \in [n]$ and encoding $y = C(x)$. The 1-query quantum decoder will pick a
random string r with the same probability as the 2-query classical decoder. This r determines two
indices $j_0,j_1 \in [m]$, two b-element sets $S_0,S_1 \subseteq [\ell]$, and a function $f : \{0,1\}^{2b} \to \{0,1\}$ such that
$\Pr[f(y_{j_0}|_{S_0}, y_{j_1}|_{S_1}) = x_i] = p \ge 1/2 + \varepsilon$, where the probability is taken over the decoder's randomness.
Assume for simplicity that $j_0 = 0$ and $j_1 = 1$, and define $a_0 = y_{j_0}|_{S_0}$ and $a_1 = y_{j_1}|_{S_1}$.
We construct a 1-query quantum decoder that outputs $f(a_0,a_1)$ with probability $1/2 + 1/2^{b+1}$, as
follows. The result of a quantum query to $j_0$ and $j_1$ is



Note that we write $a_0 \cdot T$ instead of $y_{j_0} \cdot T$, since $T \subseteq S_0$ and therefore the inner product will be the
same. We can unitarily transform this to $\frac{1}{\sqrt{2}}(|0\rangle|a_0\rangle + |1\rangle|a_1\rangle)$. By Theorem 2 we can compute an
output bit o from this such that $\Pr[o = f(a_0,a_1)] = 1/2 + 1/2^{b+1}$. The probability of success is then
given by $\Pr[o = x_i] = \Pr[o = f(a_0,a_1)]\Pr[x_i = f(a_0,a_1)] + \Pr[o \ne f(a_0,a_1)]\Pr[x_i \ne f(a_0,a_1)] =
(1/2 + 1/2^{b+1})p + (1/2 - 1/2^{b+1})(1 - p) \ge 1/2 + \varepsilon/2^b$. Since no j is queried with probability more
than c/m by the classical decoder, the same is true for the quantum decoder. □

4.2 Improved lower bounds for 2-query LDCs over an $\ell$-bit alphabet

Our lower bound for 2-query LDCs uses the following notion, due to [2].

Definition 5 A quantum random access code is a mapping $x \mapsto \rho_x$ of the n-bit strings x into
m-qubit states $\rho_x$, such that any bit $x_i$ can be recovered with some probability $p \ge 1/2 + \varepsilon$ from $\rho_x$.

Note that we need not be able to recover all $x_i$'s simultaneously from $\rho_x$, just any one $x_i$ of our
choice. Nayak proved a tight bound on m:

Theorem 5 (Nayak) Every quantum random access code has $m > (1 - H(p))n$.

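The main idea of our proof is to show how the following state $|U(x)\rangle$ induces a quantum random
access code. For $u = \sum_{i=0}^{b}\binom{\ell}{i}$ define the pure states

$$|U(x)_j\rangle = \frac{1}{\sqrt{u}}\sum_{|T| \le b}(-1)^{T \cdot C(x)_j}|z_T\rangle \quad\text{and}\quad |U(x)\rangle = \frac{1}{\sqrt{m}}\sum_{j=1}^{m}|j\rangle|U(x)_j\rangle.$$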

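Lemma 3 Suppose $C : \{0,1\}^n \to (\{0,1\}^\ell)^m$ is a $(1,c,\varepsilon)$-quantum smooth code that uses b bits.
Then given one copy of $|U(x)\rangle$, there is a quantum algorithm that outputs 'fail' with probability
$1 - 2^{b+1}/(cu)$ with $u = \sum_{i=0}^{b}\binom{\ell}{i}$, but if it succeeds it outputs $x_i$ with probability at least $1/2 + \varepsilon$.

Proof. Let us fix $i \in [n]$. Suppose the quantum decoder of C makes query $|Q_{ir}\rangle$ to indices $j_{0r}$ and
$j_{1r}$ with probability $p_r$. Consider the following state

$$|V_i(x)\rangle = \sum_r \sqrt{p_r}\,|r\rangle\frac{1}{\sqrt{2}}\left(|j_{0r}\rangle|U(x)_{j_{0r}}\rangle + |j_{1r}\rangle|U(x)_{j_{1r}}\rangle\right).$$

We first show how to obtain $|V_i(x)\rangle$ from $|U(x)\rangle$ with some probability. Rewrite

$$|V_i(x)\rangle = \sum_{j=1}^{m}\alpha_j|\phi_j\rangle|j\rangle|U(x)_j\rangle,$$

where the $\alpha_j$ are nonnegative reals, and $\alpha_j^2 \le c/(2m)$ because C is a QSC (the 1/2 comes from
the amplitude $1/\sqrt{2}$). Using the unitary map $|0\rangle|j\rangle \mapsto |\phi_j\rangle|j\rangle$ we can obtain $|V_i(x)\rangle$ from the
state $|V_i'(x)\rangle = \sum_{j=1}^{m}\alpha_j|j\rangle|U(x)_j\rangle$. We thus have to show that we can obtain $|V_i'(x)\rangle$ from $|U(x)\rangle$.
Define operator $M = \sqrt{2m/c}\sum_{j=1}^{m}\alpha_j|j\rangle\langle j| \otimes I$ and consider a POVM with operators $M^\dagger M$ and
$I - M^\dagger M$. These operators are positive because $\alpha_j^2 \le c/2m$. Up to normalization, $M|U(x)\rangle = |V_i'(x)\rangle$.
The probability that the measurement succeeds (takes us from $|U(x)\rangle$ to $|V_i'(x)\rangle$) is
$\langle U(x)|M^\dagger M|U(x)\rangle = \frac{2m}{c}\langle U(x)|\left(\sum_j \alpha_j^2|j\rangle\langle j| \otimes I\right)|U(x)\rangle = \frac{2}{c}\sum_j \alpha_j^2 = \frac{2}{c}$. Now given $|V_i(x)\rangle$ we
can measure r, and then project the last register onto the sets $S_{0r}$ and $S_{1r}$ that we need for $|Q_{ir}\rangle$,
by means of the measurement operator
$|j_{0r}\rangle\langle j_{0r}| \otimes \sum_{T \subseteq S_{0r}}|z_T\rangle\langle z_T| + |j_{1r}\rangle\langle j_{1r}| \otimes \sum_{T \subseteq S_{1r}}|z_T\rangle\langle z_T|$. This
measurement succeeds with probability $2^b/u$, but if it succeeds we have the state corresponding
to the answer to query $|Q_{ir}\rangle$, from which we can predict $x_i$. Thus, we succeed with probability
$(2^b/u) \cdot (2/c)$, and if we succeed, we output $x_i$ with probability $1/2 + \varepsilon$. □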

We can avoid failures by taking many copies of $|U(x)\rangle$:

Lemma 4 If $C : \{0,1\}^n \to (\{0,1\}^\ell)^m$ is a $(1,c,\varepsilon)$-quantum smooth code, then $|W(x)\rangle = |U(x)\rangle^{\otimes cu/2^{b+1}}$
is a $cu(\log(m) + \log(u))/2^{b+1}$-qubit random access code for x with recovery probability $1/2 + \varepsilon/2$
where $u = \sum_{i=0}^{b}\binom{\ell}{i}$.

Proof. We do the experiment of the previous lemma on each copy of $|U(x)\rangle$ independently. The
probability that all experiments fail simultaneously is $(1 - 2^{b+1}/(cu))^{cu/2^{b+1}} < 1/2$. In that case
we output a fair coin flip. If at least one experiment succeeds, we can predict $x_i$ with probability
$1/2 + \varepsilon$. This gives overall success probability at least $1/2(1/2 + \varepsilon) + (1/2)^2 = 1/2 + \varepsilon/2$. □

The lower bound for 2-query SCs and LDCs over non-binary alphabets is then: 

Theorem 6 If $C : \{0,1\}^n \to \Sigma^m = (\{0,1\}^\ell)^m$ is a $(2,c,\varepsilon)$-smooth code where the decoder uses only
b bits of each answer, then $m > 2^{dn - \log(u)}$ for $d = (1 - H(1/2 + \varepsilon/2^{b+1}))2^{b+1}/(cu) = \Theta(\varepsilon^2/(2^b c u))$
and $u = \sum_{i=0}^{b}\binom{\ell}{i}$. Hence $m = 2^{\Omega(\varepsilon^2 n/(2^{2\ell}c))}$ if $b = \ell$.

Proof. Theorem 4 implies that C is a $(1,c,\varepsilon/2^b)$-quantum smooth code. Lemma 4 gives us a
random access code of $cu(\log(m) + \log(u))/2^{b+1}$ qubits with recovery probability $p = 1/2 + \varepsilon/2^{b+1}$.
Finally, the random access code lower bound, Theorem 5, implies $cu(\log(m) + \log(u))/2^{b+1} >
(1 - H(p))n$. Rearranging and using that $1 - H(1/2 + \eta) = \Theta(\eta^2)$ gives the result. □

Since a $(2,\delta,\varepsilon)$-LDC is a $(2,2/\delta,\varepsilon)$-smooth code (Theorem 1), we obtain:

Corollary 1 If $C : \{0,1\}^n \to \Sigma^m = (\{0,1\}^\ell)^m$ is a $(2,\delta,\varepsilon)$-locally decodable code, then
$m > 2^{dn - \log(u)}$ for $d = (1 - H(1/2 + \varepsilon/2^{b+1}))\delta 2^b/u = \Theta(\delta\varepsilon^2/(2^b u))$ and $u = \sum_{i=0}^{b}\binom{\ell}{i}$. Hence m =

In all known non-trivial constructions of LDCs and SCs, the decoder outputs the parity of the bits 
that he is interested in. Then, we can prove: 

Theorem 7 If $C : \{0,1\}^n \to \Sigma^m = (\{0,1\}^\ell)^m$ is a $(2,c,\varepsilon)$-smooth code where the decoder outputs
$f(g(a_0|_{S_0}), g(a_1|_{S_1}))$, with $f : \{0,1\}^2 \to \{0,1\}$ and $g : \{0,1\}^b \to \{0,1\}$ fixed functions, then
$m > 2^{dn - \log(\ell')}$ for $d = \Omega(\varepsilon^2/(c\ell'))$ and $\ell' = \binom{\ell}{b}$.

Proof. Transform C into a smooth code $C' : \{0,1\}^n \to (\{0,1\}^{\ell'})^m$ with $\ell' = \binom{\ell}{b}$ by defining $C'(x)_j$
to be the value of g on all $\binom{\ell}{b}$ possible b-subsets of the original $\ell$ bits of $C(x)_j$. We need only 1 bit
of each $C'(x)_j$, and can apply Theorem 6. □



5 Lower Bounds for Private Information Retrieval 

5.1 Lower bounds for 2-server PIRs that use few bits 

Here we derive improved lower bounds for 2-server PIRs from our LDC bounds. We use the
following [8, Lemma 7.1] to translate PIR schemes to smooth codes:

Lemma 5 (GKST) Suppose there is a one-round, $(1 - \eta)$-secure PIR scheme with two servers,
database size n, query size t, answer size $\ell$, and recovery probability at least $1/2 + \varepsilon$. Then there is
a $(2,3,\varepsilon - \eta)$-smooth code $C : \{0,1\}^n \to (\{0,1\}^\ell)^m$, where $m < 6 \cdot 2^t$. If the PIR scheme uses only
b bits of each server answer, then the resulting smooth code uses only b bits of each query answer.

We now combine this with Theorem 6 to slightly improve the lower bound given in [12] and to
extend it to the case where we only use b bits of each server reply.

Theorem 8 A classical 2-server $(1 - \eta)$-secure PIR scheme with t-bit queries, $\ell$-bit answers that
uses b bits and has recovery probability $1/2 + \varepsilon$ satisfies $t = \Omega(n(\varepsilon - \eta)^2/(2^b u))$ with $u = \sum_{i=0}^{b}\binom{\ell}{i}$.
In particular, if $b = \ell$, then $t = \Omega(n(\varepsilon - \eta)^2/2^{2\ell})$.

Proof. Using Lemma 5 we turn the PIR scheme into a $(2,3,\varepsilon - \eta)$-smooth code $C : \{0,1\}^n \to
(\{0,1\}^\ell)^m$ that uses b bits of $\ell$ where $m < 6 \cdot 2^t$. From Theorem 6 we have $m > 2^{dn - \log(u)}$ with
$d = \Omega((\varepsilon - \eta)^2/(2^b u))$. □

If b is fixed, $\varepsilon = 1/2$ and $\eta = 0$, this bound simplifies to $t = \Omega(n/\ell^b)$, hence

Corollary 2 A 2-server PIR scheme with t-bit queries and $\ell$-bit answers has communication
$C = 2(t + \ell) = \Omega(n^{1/(b+1)})$.

For b = 1 this gives $C = \Omega(\sqrt{n})$, which is achieved by the square scheme of Section 2. For b = 3 we
get $C = \Omega(n^{1/4})$, which is close to the $C = O(n^{1/3})$ of the cube scheme. As in Theorem 7 we can
get the better bound $t = \Omega(n(\varepsilon - \eta)^2/\binom{\ell}{b})$ for PIR schemes where the user just outputs the parity
of b bits from each answer. All known non-trivial PIR schemes have this property.

5.2 Weak lower bounds for general 2-server PIR 

The previous lower bounds on the query length of 2-server PIR schemes were significant only for
protocols that use few bits from each answer. Here we slightly improve the best known bound of
$4.4 \log n$ [12] on the overall communication complexity of 2-server PIR schemes, by combining our
Theorem 8 and Theorem 6 of Katz and Trevisan [10]. We restate their theorem for the PIR setting,
assuming for simplicity that $\varepsilon = 1/2$ and $\eta = 0$.

Theorem 9 (Katz & Trevisan) Every 2-server PIR with t-bit queries and $\ell$-bit answers has
$t > 2\log(n/\ell) - O(1)$.

We now prove the following lower bound on the total communication $C = 2(t + \ell)$ of any 2-server
PIR scheme with t-bit queries and $\ell$-bit answers:

Theorem 10 Every 2-server PIR scheme has $C > (5 - o(1))\log n$.

Proof. We distinguish three cases, depending on the answer length. Let $\delta = \log\log n/\log n$.

case 1: $\ell < (0.5 - \delta)\log n$. Theorem 8 implies $C > t = \Omega(n^{2\delta}) = \Omega((\log n)^2)$.

case 2: $(0.5 - \delta)\log n < \ell < 2.5\log n$. Then from Theorem 9 we have

$$C = 2(t + \ell) > 2\left(2\log(n/(2.5\log n)) - O(1) + (0.5 - \delta)\log n\right) = (5 - o(1))\log n.$$

case 3: $\ell > 2.5\log n$. Then $C = 2(t + \ell) > 5\log n$. □



6 Conclusion and Future Work 

Here we improved the best known lower bounds on the length of 2-query locally decodable codes 
and the communication complexity of 2-server private information retrieval schemes. Our bounds 
are significant whenever the decoder uses only few bits from the two query answers, even if the 
alphabet (LDC case) or answer length (PIR case) is large. This contrasts with the earlier results 
of Kerenidis and de Wolf which become trivial for logarithmic alphabet or answer length, and
those of Goldreich et al. [8], which only apply to linear schemes.

Still, general lower bounds without constraints on alphabet or answer size completely elude us. 
Clearly, this is one of the main open questions in this area. Barring that, we could at least improve 
the dependence on b of our current bounds. For example, a PIR lower bound like t = 0,{n/i^^^'^'^) 
might be feasible using some additional quantum tricks. Such a bound for instance implies that the 
total communication is $\Omega(n^{1/3})$ for b = 3, which would show that the cube scheme of is optimal
among all schemes of probe complexity 3. Another question is to obtain strong lower bounds for 
the case of k > 3 queries or servers. For this case, no superpolynomial lower bounds are known
even if the alphabet or answer size is only one bit.